| Title: | *OLD* ALL-IN-1 (tm) Support Conference |
| Notice: | Closed - See Note 4331.l to move to IOSG::ALL-IN-1 |
| Moderator: | IOSG::PYE |
| Created: | Thu Jan 30 1992 |
| Last Modified: | Tue Jan 23 1996 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 4343 |
| Total number of notes: | 18308 |
HOW TO PROTECT DRAWERS AGAINST PRIVILEGED USERS
===============================================
Privileged ALL-IN-1 users can easily access any drawers, folders and
documents using the "index of available drawers" option
(FC$_MO_INDEX_AVAIL_DRAWERS) of the "FC$DRAWER$MGT" form
or using <GOLD><E> when selecting a document from wordprocessing
(FC$GOLD_E form).
Relevant VMS privileges are BYPASS, SYSPRV and GRPPRV. Also all users
owning a UIC group belonging to SYSGROUP (UIC group lower than or equal to
SYSGEN's MAXSYSGROUP parameter) can access any drawer.
What to do to make your ALL-IN-1 system more safe!
Reminder: Privileged VMS users can do anything. You cannot protect your
ALL-IN-1 system against them. But we shouldn't make it as easy for them as
it is by default, should we?
1.) Any ALL-IN-1 User should own a SYSGROUP UIC, even the ALLIN1 Managers
account shouldn't own it (It's not necessary, is it?).
=========================================================================
1.1) Changing a SYSGROUP-owning user!
Log into a privileged account (SYSTEM/ALLIN1/...)
$ set def sys$system
$ run authorize
UAF> MOD user /UIC=[(>MAXSYSGROUP),????]
UAF> EXIT
(the owner of all files belonging to the user has to be reset!)
$ SET FILE/OWNER=user dev:[000000]user.DIR
$ SET FILE/OWNER=user dev:[user...]*.*.*
(this user should not be logged in, to avoid any locking of files)
1.2) Changing a SYSGROUP-owning ALLIN1 Manager
See 1.1
Reboot your machine without starting ALL-IN-1 !!!!
Do the SET/FILE/OWNER to all directories belonging to ALL-IN-1.
Don't forget the OA$SHAR* directories!
*IMPORTANT* You should update the following FDL files in OA$LIB,
especially PROFILE.FDL (the FILECAB-SERVER won't start if you don't !!) !!
ATTENDEE.FDL
PROFILE.FDL
MEETING.FDL
OAN$CONFERENCES.FDL
PENDING.FDL
SDAF.FDL
Do edit them and change the OWNER field to the new ALLIN1 Managers
owner Name!! It probably has been changed !!!
Now you can start your ALL-IN-1 System!
$ @sys$startup:a1v30start dev:[ALLIN1.DATA_SHARE]
2.) Deny privileged users to search for shared drawers !
========================================================
2.1) Create a Commandprocedure to check Processpriv's
$!============================================================
$! OA$LIB_SHARE:GETPRV.COM
$!============================================================
$! PROT=(S:RE;O:RWED;G:RE;W:RE)
$! OWNER = ALLIN1
$!
$!
$ OA := "WRITE OAMAILBOX"
$ DC := "@DCLMAILBOX:"
$!
$INIT:
$ PRV_VALUE = 0
$!
$ IF F$PRIVILEGE("BYPASS")
$ THEN
$ PRV_VALUE = 1
$ GOTO END
$ ENDIF
$ IF F$PRIVILEGE("SYSPRV")
$ THEN
$ PRV_VALUE = 1
$ GOTO END
$ ENDIF
$ IF F$PRIVILEGE("GRPPRV")
$ THEN
$ PRV_VALUE = 1
$ ENDIF
$!
$END:
$ OA "OA GET #PRV_VALUE = ""''PRV_VALUE'"""
$ DC
$ EXIT
$! Author: Jörg Klocke
$!
$! Modified by: | Date: | Reason:
$!---------------------------------------------------------------
$! Jörg Klocke | 15-Jan-1993 19:20 | Element created
$! | |
$!---------------------------------------------------------------
$!
$! A commandprocedure to check process privileges
$!
2.2) Change form FC$DRAWER$MGT.FRM
Modify the field FC$_MO_INDEX_AVAIL_DRAWERS
(Change the OA$DISPLAY message to your comfort!)
$ FMS/LIB/EXTRACT OA$LIB:OAFORM/FORM=FC$DRAWER$MGT
;;FC$_MO_INDEX_AVAIL_DRAWERS;;
COMMAND OA$LIB:FC_GETPRV.COM\.IF #PRV_VALUE = "1" THEN
GET OA$DISPLAY "You are not allowed to use this funktion !"\\FORCE
ELSE GET #FC_GOLD_F_FLAG = 0\\
FORM FC$IAD$INDEX\\
CLOSE_PRIOR\\
.IF #FC_GOLD_F_FLAG EQ 1 THEN OA$FLD_EXIT
$ FMS/LIB/REPLACE OA$LIB:OAFORM/FORM=FC$DRAWER$MGT
The Form must be replaced in OAFORM to avoid access via ALLIN1/NOCUSTOM !
Save the original Form to be able to restore original capacity !
2.3) Change form FC$IAD$INDEX$ARG.FRM
$ FMS/LIB/EXTRACT OA$LIB:OAFORM/FORM=FC$IAD$INDEX$ARG
Modify the field .TYPE
(Change the OA$DISPLAY message to your comfort!)
;;.TYPE;;
ARG /OVERLAY /BEGIN=USER
/PRE='
COMMAND OA$LIB:FC_GETPRV.COM\.IF #PRV_VALUE = "1"
THEN GET OA$DISPLAY "You are not allowed to use this funktion !"\\FORCE
\\CLOSE_PRIOR\\FORM FC$DRAWER$MGT
ELSE GET PARTITION = #FC_IAD_PARTITION\\
XOP "~~POST_PARTITION~~"'
/POST='
GET #FC_USER = USER \
GET #FC_DRAWER = DRAWER'
/HARD=FC$_IAD_ARG_HRD
$ FMS/LIB/REPLACE OA$LIB:OAFORM/FORM=FC$IAD$INDEX$ARG
The Form must be replaced in OAFORM to avoid access via ALLIN1/NOCUSTOM !
Save the original Form to be able to restore original capacity !
2.4) Change form FC$GOLD_E.FRM
$ FMS/LIB/EXTRACT OA$LIB:OAFORM/FORM=FC$GOLD_E
Modify the field .GOLD E
(Change the OA$DISPLAY message to your comfort!)
;;.GOLD E;;
COMMAND OA$LIB:FC_GETPRV.COM\.IF #PRV_VALUE = "1"
THEN GET OA$DISPLAY "You are not allowed to use this funktion !"\\FORCE
\\CLOSE_PRIOR
ELSE XOP "~~GOLD_E~~"
$ FMS/LIB/REPLACE OA$LIB:OAFORM/FORM=FC$GOLD_E
The Form must be replaced in OAFORM to avoid access via ALLIN1/NOCUSTOM !
Save the original Form to be able to restore original capacity !
2.5) Change form FC$GOLD_E_DRAWER.FRM
$ FMS/LIB/EXTRACT OA$LIB:OAFORM/FORM=FC$GOLD_E_DRAWER
Modify the field .TYPE
(Change the OA$DISPLAY message to your comfort!)
;;.TYPE;;
ARG /OVERLAY
/HARD=FC$_HRD_GOLD_E_DRAWER
/BEGIN=USER
/PRE='COMMAND OA$LIB:FC_GETPRV.COM\.IF #PRV_VALUE = "1"
THEN GET OA$DISPLAY "You are not allowed to use this funktion !"\\FORCE
\\CLOSE_PRIOR\\FORM FC$DOCSEL
ELSE GET SYSTEM = #FC_E_SYSTEM\\GET USER = #FC_E_USER\\
GET DRAWERUNIQUE = #FC_E_DRAWER'
$ FMS/LIB/REPLACE OA$LIB:OAFORM/FORM=FC$GOLD_E_DRAWER
The Form must be replaced in OAFORM to avoid access via ALLIN1/NOCUSTOM !
Save the original Form to be able to restore original capacity !
3. Starting ALL-IN-1 from a privileged Account
==============================================
Privileged users should always unset the relevant process privs
before starting ALL-IN-1. Attached command procedure does this work
for them. The ALLIN1 command can be redefined by a symbol (i.e. in
the "INTERACTIVE" part of LOGIN.COM or SYLOGIN.COM) to start this
procedure. (If you define it in SYLOGIN.COM pay attention, that it
will be redefined to ALLIN1 for the ALL-IN-1 Manager's and the
SYSTEM account to avoid problems while starting ALL-IN-1!!)
$ ALLI*N1 :== @OA$LIB:ALLIN1.COM
or
$ A1 :== @OA$LIB:ALLIN1.COM
$!===============================================================
$!ALLIN1.COM
$!===============================================================
$ SET NOON
$ SET NOVERI
$!
$! Initialize variables
$!
$ PRV_BYPASS = 0
$ PRV_SYSPRV = 0
$ PRV_GRPPRV = 0
$!
$! Check and remember priv's
$!
$ IF F$PRIVILEGE("BYPASS")
$ THEN
$ SET PROC/PRIV=(NOBYPASS)
$ PRV_BYPASS = 1
$ ENDIF
$ IF F$PRIVILEGE("SYSPRV")
$ THEN
$ SET PROC/PRIV=(NOSYSPRV)
$ PRV_SYSPRV = 1
$ ENDIF
$ IF F$PRIVILEGE("GRPPRV")
$ THEN
$ SET PROC/PRIV=(NOGRPPRV)
$ PRV_GRPPRV = 1
$ ENDIF
$!
$! Starting ALL-IN-1
$!
$ ASSIGN/USER 'F$LOGICAL("SYS$OUTPUT")' SYS$INPUT
$ STARTALLIN1 = "ALLIN1"
$ STARTALLIN1
$ DELETE/SYMBOL STARTALLIN1
$!
$! Reset priv's
$!
$ IF PRV_BYPASS .EQ. 1 THEN SET PROC/PRIV=BYPASS
$ IF PRV_SYSPRV .EQ. 1 THEN SET PROC/PRIV=SYSPRV
$ IF PRV_GRPPRV .EQ. 1 THEN SET PROC/PRIV=GRPPRV
$ EXIT
$!
REMINDER
If you grant read access to a privileged user and this user adds the
Drawer to his FILECAB and reenters ALL-IN-1 with privileges, he will
have all rights on this Drawer (Read/Create/Modify/Delete/Manage).
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 2165.1 | If you don't trust people - take their privs away! | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Wed Jan 27 1993 19:19 | 30 |
Generally speaking, privileged users will be able to read anything they
like anyway. All you can do is make it a bit harder for them, and stop
them stumbling across interesting things.
If you can't trust your privileged users, take their privileges away.
If you can't do that, remind them that using their privileges to read
someone's mail is the same as searching through the paper mail in their
desk. Both of these are offences you can be fired from the company for.
You can still do a loop through the partition file looking for
interesting things.
Regarding FDLs, they don't need the owner field at all IMO, I'd remove
it completely. We try to remove them from any FDLs we ship if possible.
Your command procedure OA$LIB_SHARE:GETPRV.COM can be simplified by
testing for all privileges at once:
$ Prv_value = f$priv("SYSPRV") .or. f$priv("BYPASS") .or. f$priv("GRPPRV")
Similarly your ALLIN1.COM procedure can be simplified using the F$SETPRV
lexical:
$ Saved_privs = f$setprv( "NOSYSPRV,NOBYPASS,NOGRPPRV" )
resetting them with:
$ Dummy = f$setprv( Saved_privs )
Graham
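The F$SETPRV suggestion above applied to the whole ALLIN1.COM wrapper from .0, as an added example that is not part of the original thread. The symbol names `saved_privs` and `start_a1`, the Ctrl-Y handling and the check before start-up are assumptions of this example.

```dcl
$!===============================================================
$! ALLIN1.COM  (added example, not the procedure posted in .0)
$! Start ALL-IN-1 with BYPASS, SYSPRV and GRPPRV switched off and
$! put the process back as it was afterwards.
$!===============================================================
$ SET NOON
$!
$! F$SETPRV returns the previous state of each named privilege,
$! so one call both drops the privileges and remembers them.
$ saved_privs = F$SETPRV("NOBYPASS,NOSYSPRV,NOGRPPRV")
$!
$! Restore the saved state even if the session is interrupted.
$ ON CONTROL_Y THEN GOTO restore
$!
$! Confirm that all three privileges are off before starting.
$ IF .NOT. F$PRIVILEGE("NOBYPASS,NOSYSPRV,NOGRPPRV")
$ THEN
$   WRITE SYS$OUTPUT "Privileges still enabled, ALL-IN-1 not started"
$   GOTO restore
$ ENDIF
$!
$! Let ALL-IN-1 read from the terminal, not from this procedure.
$ DEFINE/USER_MODE SYS$INPUT SYS$COMMAND
$!
$! Same indirection as in .0: the command is started through a
$! symbol (assumed there to keep a redefined ALLIN1 symbol from
$! calling this procedure again).
$ start_a1 = "ALLIN1"
$ start_a1
$ DELETE/SYMBOL start_a1
$!
$restore:
$ dummy = F$SETPRV(saved_privs)
$ EXIT
```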
| 2165.2 | Fire the mail hackers | GTI205::REDMOND | Thoughts of an Idle Mind | Thu Jan 28 1993 11:04 | 8 |
I agree with GAP. If your privileged users are messing around then they
should be fired. Making this a company policy usually cures the desires
of hot sweaty hackers who engage in this kind of activity.
Anyone with privs and a knowledge of FOR PARTITION... and CABINET
SET_DRAWER can easily get around the command procedure check. But maybe
you're just blocking the DCL types who use ALL-IN-1 rarely and couldn't
care about scripting and the like?
Tony
| 2165.3 | Protect Users to become a spy | COLA1::KLOCKE | Jörg Klocke | Thu Jan 28 1993 16:49 | 11 |
These procedures do not have the intention to protect ALL-IN-1
against hackers, but it should protect users, who are playing
around with the system and are looking for all the fancy features
of ALL-IN-1 to become a spy maybe by accident. Most of the users
don't have the knowledge of hacking around in ALL-IN-1.
So someone who tries to work around the checks is a real hacker and
should definitely be fired.
These procedures do have the intention to protect simple users of
doing stupid things.
Jörg
| 2165.4 | Two more holes detected | COL01::KLOCKE | | Wed Feb 17 1993 13:59 | 32 |
Privileged users can access foreign MAIL-Drawers via the SMU option.
You can deny access as described in .0 by modifying forms EMC3 and EM$SMU.
Changed ND of EMC3:
;;EM$_MO_SET_MAIL_USER;;
COMMAND OA$LIB:FC_GETPRV.COM\.IF #PRV_VALUE = "1" THEN
GET OA$DISPLAY "You are not allowed to use this funktion !"\\FORCE
ELSE FORM EM$SMU\\
CLOSE_PRIOR\\
.IF OA$MAIL_USER EQS OA$USER
THEN GET MAIL$USER = ""\\\\
GET MAIL$USER$H = ""
Changed ND of EM$SMU:
;;.TYPE;;
ARG /OVERLAY
/PRE='COMMAND OA$LIB:FC_GETPRV.COM\.IF #PRV_VALUE = "1" THEN
GET OA$DISPLAY "You are not allowed to use this funktion !"\\FORCE
ELSE XOP "~~SMU_PRE~~"'
/POST='
.IF OA$FORM_DISPOSE EQ 0
THEN
GET OA$DISPLAY = EM$_SMU_NO_CHANGE'
/HARD=EM$_HRD_SET_MAIL_USER
Ciao Jörg
| 2165.5 | I think it is too easy | IOSG::TALLETT | Gimmee an Alpha colour notebook... | Wed Feb 17 1993 19:54 | 14 |
In contrast to the comments of "Take away their privs if you
don't trust them" I quite like the idea of separating ALL-IN-1
access from VMS access. True, someone with CMEXEC can access
anything on a given machine, but why make it easy for them? Not
everyone has the time/patience/know-how. It's a bit like locking
your drawers in your desk and leaving the keys on a hook on the
wall. It raises the stakes if you get caught.
I don't believe most people with BYPASS were given it so that they
could SMU to everyone's account.
Regards,
Paul